How Online Fraudsters Are Using SAAS in Their Networks

It's now possible for anybody to purchase online criminal services on a monthly fee basis--if you know where to go. As the bad guys get more sophisticated, false bank Web sites are becoming harder to identify from legitimate ones. Even more caution is now needed to stop these frauds, a noted online security expert says.

SANTA CLARA, Calif. -- Apparently, there are some real career paths available in the online fraud business. One can become an identity harvester, a software developer who builds botnets, a delivery middleman, a salesperson--the list is long and resembles legitimate businesses in many ways.

At an analysts' briefing Sept. 25 at EMC's Silicon Valley offices, RSA Security head of new technologies Uri Rivner told attendees that the Internet fraud business has grown so large and enmeshed in legitimate online activities that it is becoming increasingly difficult to tell who's good and who's bad.

Rivner pointed out two recent trends: a) Fraudsters using SAAS (software as a service) models to sell their services to customers for a monthly fee, and b) the appearance of new super-Trojans that hijack legitimate bank Web sites and fool people into entering personal financial information--such as ATM account numbers and personal identification numbers--into the phony Web site.

In describing the hosted fraud model, Rivner said that if a willing participant knows where to go, he or she can simply order a phishing or other criminal business service online and pay a fee per month to participate as an investor in order to share in the "profits."

"This fee at one of these services is $299 per month," Rivner said. "This puts you into the food chain of [identity] harvesters, phony ATM card makers, delivery specialists--a whole infrastructure of criminals.

"There looks to be quite a career path in there for some people. Everybody's a specialist in this realm, and reputation is paramount."

Of course, trusting any of these anonymous folks online is another issue that an "investor" or "customer" has to solve.

The second trend, involving the new Trojans--which can get installed on an unsuspecting computer owner's machine through either opening an executable file or by a browse-by Web site, which is fairly rare--is also a growing problem, Rivner said.

"In this scenario, with the Trojan on the client and working, the user goes to his or her bank's Web site to make a transaction. The Trojan is alerted to this when the site is brought up. When it does show up, it waits for the user to log on, then brings up the false site, which looks very similar to the legitimate one," Rivner said.

"Except there's one difference: The false site has two more lines of information it asks for: an ATM account number and the user's PIN. Once the fraudster gets that info, the account is soon drained," Rivner said.

Rivner advised online bank users never to take the sites they use for granted.

"Keep a close eye out for changes in the site. Make sure that your connection is a secure one," he said. "If anything looks a bit different than usual, that should be a red flag. It's probably a ruse."

Most banks do not ask for account numbers and PINs, he said. That would be the first clue that something's amiss.

Most of these online crooks use IRC (Internet relay chat) to communicate--most often in code--and, naturally, aliases. They build their reputations within the network by getting credit for helping facilitate large fraud deals involving banks, savings and loans, hedge funds and other financial institutions.

More news in the online security sector surfaced Sept. 25, when reports revealed that Neosploit, a black-market hacker exploit kit that many security experts believed had been shut down months ago, has reappeared on the scene and is responsible for an increase in attacks.

Ian Amit, director of security research at Aladdin Knowledge Systems, said that rumors of the kit's "retirement" last summer were off base.

RSA, one of the most well-established software security companies in the world, has shut down about 100,000 online fraud schemes in the last several years, Rivner said.

"But there are still plenty more to get, and there are new ones popping up every day," he said.

Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on Salesforce.com and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz